+-- On Tue, 16 Feb 2016, Gerd Hoffmann wrote --+
| > @@ -172,11 +172,18 @@ static void do_token_in(USBDevice *s, USBPacket *p)
| >      assert(p->ep->nr == 0);
| > + if (s->setup_len > sizeof(s->data_buf)) {
| > + fprintf(stderr,
| > + "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
| > + s->setup_len, sizeof(s->data_buf));
| > + p->status = USB_RET_STALL;
| > + return;
| > + }
|
| Why is this needed? All control transfers go through do_token_setup
| first, so with the check moved in do_token_setup we should never ever
| trigger it here ...
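Review bot: the new bound check in do_token_in duplicates the one that the same series moves into do_token_setup, and since every control transfer reaches do_token_in only after do_token_setup has validated setup_len, the branch is expected to be unreachable; if it is kept as defence in depth, say so in a comment next to the `if (s->setup_len > sizeof(s->data_buf))` line, and prefer a silent `p->status = USB_RET_STALL;` over an unconditional fprintf(stderr), because an unrate-limited message in a device-emulation path is a log-flooding risk should the assumption ever stop holding.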
usb_handle_packet
  -> usb_process_one
    -> do_token_in

Is it possible for a guest to call do_token_in without calling do_token_setup first? Most drivers seem to have their own 'usb_packet_setup' routine. (to confirm)

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F